Every business has an exposure and risk of becoming a cyber crime victim. While most businesses are familiar with insuring for traditional risks, there are a range of exposures that your business may need to be protected from. The following questionnaire provides in depth insight into risks you may not have previously contemplated.
Do you accept credit card payments?
If yes, any merchant or organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data is required to be PCI (Payment Credit Card Industry) compliant. This includes any debit, credit, and prepaid cards branded with one of the 5 associated/brand logos that participant in PCI SSC—American Express, Discover, JCB, Mastercard, Visa International. Using a third party processor does not exclude a company from PCI compliance. Check your merchant services agreement which outlines your exposure.
Do you process payroll?
If yes, you are responsible for the safekeeping of this data even if outsourcing to a payroll data company.
Does your business utilize computers/software to run any part of operations?
If yes, what is the potential loss of income should the system be non-operational?
Do you offer any employee benefits to your employees? (health insurance/life insurance/ disability)?
If yes, you have Personally identifiable information on your employees, spouses and children that you are required to protect, whether in paper or electronic format.
Does your company offer a wellness plan?
If yes, according to the Office for Civil Rights (enforcement body for HIPAA), providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means and those data must be protected under HIPAA. The HIPAA Safety Rule requires that all covered entities to implement technical, administrative and physical safeguards to prevent protected health information from being viewed or accessed by unauthorized individuals. Fines of more than $50,000 can be assess for each violation up to $1.5 million per calendar year. Even companies that are not covered entities may be subject to HIPAA rules should PHI be breached.
Does your company allow employees to connect mobile storage devices to office computers?
If yes, malware and virus can infect your system via these devices. If you have a policy that prohibits these activities, are you certain that all your employees follow the policy all of the time?
Have you ever received an email that appears to come from a known party directing you to transfer money?
If yes, this is an example of a phishing scheme.
Do you allow access to your system to outside parties using a VPN?
If yes, open portals are gateways into your system and are being utilized by hackers.
Do you conduct business over the internet or through your website?
If yes, what impact would your business experience if it was no longer operational?
Do you provide for an EFT option to either accept payments from your vendors or to pay your vendors?
If yes, you have personally identifying information for either individuals or businesses – i.e. bank account information.
Do you require employment applications?
If yes, you have personally identifiable information. Where is this information kept? What do you do with applicant information for individuals that you do not ultimately employ?
Do you store, process, transmit any personally identifiable personal or health information for employees, customers, patients, students, companies, vendors, etc?
If yes, you have a legal obligation to protect that information.
Contact us for additional information, or download our cyber liablity e-book to learn more about properly protecting the business you've worked so hard to build.
